Governance
Governance is what makes TapPass different from a proxy. Every request and response passes through a configurable pipeline that detects, redacts, blocks, or allows — and records a cryptographic audit trail of the decision.
The three layers you’ll use
1. Governance Pipeline — the 49 steps that run on every call. Input validation → detection → policy → LLM call → output scan → audit. Pick which steps are on, how sensitive, and what they do on a hit.
2. Governance Flags — the per-request overrides your agent code sets. Mode, PII, email, budget, tools, files. One header, one parameter — nothing more invasive than that.
3. Compliance Evidence — export the audit trail as GDPR Art. 30 records, EU AI Act Art. 14 oversight proof, or SOC 2 Type II integrity attestation. No separate instrumentation.
What actually runs per call
```text
request ─▶ auth ─▶ detect (PII, injection, secrets…) ─▶ policy (OPA)
                                                            │
                                                            ▼
response ◀─ audit ◀─ output scan ◀─ LLM call ◀─ credentials
```

Each arrow is a chain of pipeline steps. Each step is configurable. Each decision is recorded with a hash-chained signature so an auditor can verify it later without trusting the server.
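To make the hash-chained audit trail concrete, here is an added, self-contained illustration of the idea (example code written for this page, not TapPass's own audit implementation or record format). Each record carries the hash of the previous record and an HMAC over its own hash, so editing, reordering, or deleting any past decision breaks verification at that point. The signing key, record fields, and sample decisions are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed signing key for the example. In a real deployment the key would
# live in a KMS/HSM or be an asymmetric private key, so the server that writes
# records cannot re-sign history after the fact.
SIGNING_KEY = b"example-audit-signing-key"
GENESIS_HASH = "0" * 64


def _canonical(obj):
    """Deterministic JSON so the same decision always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, decision):
    """Append one governance decision, linking it to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "prev_hash": prev_hash, "decision": copy.deepcopy(decision)}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    record = dict(body, hash=digest, sig=sig)
    chain.append(record)
    return record


def verify_chain(chain, key=SIGNING_KEY):
    """Recompute every link, hash and signature.

    Returns (True, None) for an intact chain, or (False, i) where i is the
    index of the first record that fails.
    """
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(chain):
        # Sequence and back-link catch deletions and reordering.
        if rec["seq"] != i or rec["prev_hash"] != prev_hash:
            return False, i
        body = {"seq": rec["seq"], "prev_hash": rec["prev_hash"], "decision": rec["decision"]}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        # Content hash catches edits to the decision itself.
        if digest != rec["hash"]:
            return False, i
        # Signature catches a forger who recomputed the hash without the key.
        expected_sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, rec["sig"]):
            return False, i
        prev_hash = rec["hash"]
    return True, None


# Constructed sample decisions, loosely shaped like the stages in the diagram above.
SAMPLE_DECISIONS = [
    {"step": "detect.pii", "request_id": "req-001", "action": "redact", "hits": 2},
    {"step": "policy.opa", "request_id": "req-001", "action": "allow"},
    {"step": "output_scan.secrets", "request_id": "req-001", "action": "block", "hits": 1},
]


def build_sample_chain():
    chain = []
    for decision in SAMPLE_DECISIONS:
        append_record(chain, decision)
    return chain


def tamper_demo():
    """Quietly flip a past 'block' to 'allow'; verification fails at that record."""
    chain = build_sample_chain()
    chain[2]["decision"]["action"] = "allow"
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:  ", verify_chain(build_sample_chain()))  # (True, None)
    print("tampered chain:", tamper_demo())                       # (False, 2)
```

The HMAC here is a shared secret, so an auditor verifying it would still have to be given the key. For the property the page describes, verification without trusting the server, a production log would sign with a private key and hand the auditor only the public key, or periodically anchor the latest hash somewhere the server cannot rewrite; the chain-walking logic stays the same.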
What you control, from outside in
| Layer | Who controls it | Changes take effect |
|---|---|---|
| Pipeline steps (on/off, thresholds, actions) | Platform team (server config, OPA policy) | Hot-reload |
| Flags (per-request overrides) | Agent developers (code or header) | Per call |
| Compliance exports | Compliance team (scheduled queries) | Runs on demand |
Read the three pages in order for the full picture.